
The attackers are taking advantage of websites running on the WordPress platform that have not yet updated to the most recent version. Researchers at SiteLock estimate that some 20 attackers are vying for these illicit dollars, some defacing sites multiple times, sometimes removing links and solicitations left behind by other criminals and replacing those with their own.

“The ease of execution is so low and so easy, we’re seeing script kiddies pick up this exploit and have a field day with it,” said Logan Kipp of SiteLock. “We’re seeing these 20 or so different actors fighting over control and overwriting defacements, many times minutes apart.”

The defacements started out largely as bragging escapades by hackers, but quickly escalated to these profit-motivated attacks.

“This is the first case we’re aware of where someone is trying for monetary gain,” Kipp said. “They’re trying to get you to visit rogue pharmacy sites where there’s an equally high chance they’re going to steal your credit card number and run. North of 50 percent of the time, that’s the case with these sites.”

The vulnerability, found and privately disclosed by researchers at Sucuri, allows an attacker with one line of exploit code to reach the API and change site content and URL permalinks. The issue lies in the way the REST API manages access: it favors an ID value supplied as a GET or POST parameter over the one already present in the request route. Any request with letters in its ID would bypass a permission check and essentially grant an attacker admin privileges.
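The request pattern described above leaves a trace in ordinary web-server access logs. The following detection script is an added example, not code from Threatpost, SiteLock or Sucuri; it assumes the standard WordPress single-post route `/wp-json/wp/v2/posts/<id>` and that the override ID travels as a query parameter, and the log lines it scans are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines in Apache combined format (not from the
# article). The first two carry a non-numeric `id` parameter on a write request.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2017:10:01:12 +0000] "POST /wp-json/wp/v2/posts/123?id=123abc HTTP/1.1" 200 512 "-" "curl/7.52.1"
203.0.113.5 - - [06/Feb/2017:10:01:15 +0000] "POST /wp-json/wp/v2/posts/124/?id=124Z HTTP/1.1" 200 498 "-" "python-requests/2.12.4"
198.51.100.7 - - [06/Feb/2017:10:02:01 +0000] "GET /wp-json/wp/v2/posts/123?id=123abc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Feb/2017:10:03:44 +0000] "POST /wp-json/wp/v2/posts/77 HTTP/1.1" 401 93 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# The single-post route; WordPress only matches a numeric ID in the path.
ROUTE_RE = re.compile(r'^/wp-json/wp/v2/posts/(?P<rid>[0-9]+)/?$')

def id_mismatch(target):
    """Return the offending `id` query values for a single-post request: values
    that are not purely numeric or that differ from the ID in the route.
    Either one means the caller is relying on the API preferring a supplied
    GET/POST `id` over the route's own, which is the bypass the article describes."""
    url = urlparse(target)
    m = ROUTE_RE.match(url.path)
    if not m:
        return []
    route_id = m.group("rid")
    return [v for v in parse_qs(url.query).get("id", [])
            if not re.fullmatch(r"[0-9]+", v) or v != route_id]

def scan_log(text):
    """Return (ip, method, target, status, bad_ids) for write requests to the
    single-post endpoint whose `id` parameter does not match the route. Only
    POST/PUT/PATCH are kept, because a GET cannot change content."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") not in ("POST", "PUT", "PATCH"):
            continue
        bad = id_mismatch(m.group("target"))
        if bad:
            hits.append((m.group("ip"), m.group("method"), m.group("target"),
                         int(m.group("status")), bad))
    return hits

if __name__ == "__main__":
    for ip, method, target, status, bad in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {status} suspicious id: {bad}")
```

An `id` sent in the POST body never reaches the access log, so a 200 response to any unauthenticated write on this endpoint is worth reviewing on its own, and a site already running a patched version can treat hits as failed probes.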

“It’s very simple to execute,” Kipp said of the exploit, which is publicly available on many sources. “We’re seeing people use it this way—20 hackers with 100 or more defacements apiece—now looking to make money. This was absolutely inevitable.”

The REST API endpoint vulnerability was introduced in WordPress 4.7 in December, and silently patched earlier this month because of its severity. Since WordPress is packaged with automatic updates turned on by default, most installations are updated and secured. Those that have disabled the feature, or any updates that failed, remain vulnerable; SiteLock estimates this number to be between 15 percent and 20 percent of WordPress sites.

“Short of patching, it’s a simple fix: Treat it like a cross-site scripting vulnerability and sanitize the values coming in over the API controller,” Kipp said. “Doing this could neuter the problem.”

Overall, WordPress site defacements because of this vulnerability escalated quickly from tens of thousands to more than 800,000 in a 48-hour period less than two weeks ago. The reason, according to WordFence, a WordPress security plugin developer, is that attackers refined their attacks to bypass a rule that WordFence and others had implemented to stem the tide. Two different campaigns tracked by WordFence were responsible for close to 700,000 defacements on their own.

“In the actual core, having a vulnerability is rare,” Kipp said. “This was a big one yes, but it was handled well and patched in a short amount of time. Most users are not impacted.”

Authors

Threatpost
